1504 Views | 5 Helpful | 4 Replies

Apple TV NTP PAT source port

dporod (Level 1)

We are running into an issue where our Apple TVs are unable to set date/time after they are reset. They will try to go out to Apple time servers but from what I understand the Apple time servers will not accept NTP packets if the source port is not 123 or above 1024. Because we are using dynamic PAT the source port will only be 123 if it is not already in use.

 

Any ideas of how to force our ASA 8.4 to use a certain range of source ports for NTP traffic?

 

4 Replies

ericgarnel (Level 7)


5. KNOWN WORK-AROUNDS: 
Cisco ASA operating system version 8.4(2) supports the use of the “FLAT” configuration keyword. Using this keyword allows firewall administrators to change the default range in which port randomization occurs. 

USE WITH NTP: 
Use the “FLAT” keyword to change the NTP source port randomization range from 0-1023 to 1024-65535. 

FURTHER READING: 
http://www.netcraftsmen.com/dynamic-pat-cont-with-pools-flat-round-robin-and-extended-pat/

ericgarnel (Level 7)

And for IOS NAT too

 

Command line entry
Router(config)#ip nat portmap NTP
Router(config-ipnat-portmap)#appl udp-rtp startport 1024 s
Router(config-ipnat-portmap)#appl udp-rtp startport 1024 size ?
  <64-65536>  size
 
Router(config-ipnat-portmap)#appl udp-rtp startport 1024 size 65536
Router(config)#exit
 
Router(config)#ip nat inside source list 10 interface GigabitEthernet0/0 overload portmap NTP
<this would change based on interface or pool of addresses>
Router(config)#end
Router(config)#do wr

Hi,

Thanks for the hint, but the solution is still unclear to me.

I have tried out the following, using IOS:

--

ip nat portmap NTP

appl udp-rtp startport 1024 size 1024

ip nat inside source list 1 interface Dialer0 overload portmap NTP

--

where Dialer 0 is my wan port.

In my understanding this should move all of the UDP connections to source ports 1024 -> 2048 (ok, the number of open ports may change), but tcpdump on the destination host states something different:

10:04:29.450036 IP sourceip.123 > destip.123: NTPv4, Client, length 48
10:04:29.450129 IP destip.123 > sourceip.123: NTPv4, Server, length 48

See that 123 is still used.

I am also checking:

http://www.cisco.com/c/en/us/td/docs/ios/12_4t/ip_addr/configuration/guide/htpt4pat.html#wp1049437

Without luck.

Any advice?

Should this be done on the internal interface, in my case Vlan 1, Vlan 7, Vlan ...?

Thank you very much in advance,

Daniele
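To check a capture from the destination side the way Daniele does above, here is an added Python example (not from the thread or from Cisco): it parses tcpdump's one-line NTP summaries and flags client requests whose translated source port fell into 1-1023 without being 123, the range the first post says the Apple time servers reject. The sample capture is constructed and the host names sourceip/destip are placeholders.

```python
import re

# Regex for tcpdump's one-line NTP summary, e.g.
# "10:04:29.450036 IP sourceip.123 > destip.123: NTPv4, Client, length 48"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>.+?)\.(?P<sport>\d+) > (?P<dst>.+?)\.(?P<dport>\d+): "
    r"NTPv(?P<ver>\d), (?P<mode>Client|Server), length (?P<len>\d+)$"
)

# Constructed sample capture: three client requests seen after PAT. The first
# two use source ports the thread says are accepted (123 or >= 1024); the third
# was randomised into the privileged range and would be dropped by the server.
SAMPLE = """\
10:04:29.450036 IP sourceip.123 > destip.123: NTPv4, Client, length 48
10:04:29.450129 IP destip.123 > sourceip.123: NTPv4, Server, length 48
10:04:31.100200 IP sourceip.40321 > destip.123: NTPv4, Client, length 48
10:04:31.100300 IP destip.123 > sourceip.40321: NTPv4, Server, length 48
10:04:33.220010 IP sourceip.517 > destip.123: NTPv4, Client, length 48
"""


def source_port_ok(port):
    """Acceptable per the first post: source port 123 or anything >= 1024."""
    return port == 123 or port >= 1024


def check_ntp_capture(text):
    """Parse tcpdump lines; return (accepted, rejected) lists of (ts, src, port)."""
    accepted, rejected = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("mode") != "Client":
            continue  # skip non-NTP lines and the server replies
        port = int(m.group("sport"))
        entry = (m.group("ts"), m.group("src"), port)
        (accepted if source_port_ok(port) else rejected).append(entry)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = check_ntp_capture(SAMPLE)
    print(f"{len(ok)} client request(s) with an acceptable source port")
    for ts, src, port in bad:
        print(f"{ts} {src}: source port {port} is in 1-1023 and not 123; "
              "review the PAT port range (ASA 'flat' / IOS 'ip nat portmap')")
```

Run it against a real `tcpdump -n udp port 123` capture on the NTP server side after changing the PAT configuration; an empty rejected list means every translated request landed in a range the server will answer.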

Rishabh Seth (Level 7)

Hi,

If you are already aware of the ports that your internal device is going to use then you can create specific static nat for these ports and create dynamic NAT for rest of your internet traffic.

Refer: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/nat_overview.html

 

Hope it helps,

R.Seth
